We have reorganised the order in which attacks are displayed to focus on the Telnet/FTP/coordinated attacks, as the RELAY attacks have largely disappeared: the same machines are used for all the attacks, they are clearly documented, and their attempts are blocked. These are now listed in section 3.

Direct server attacks are particularly interesting because the identity of the attacker is clear (they cannot hide behind relay machines), and the coordination between attacks indicates which parties are trying to work together.

When a server has been involved in one of these illegal activities, we block that server for the next 6 months, denying it any access to the 9000 pages of information on the website.

There are some interesting partners in these attacks, such as sites in IRAN and ISRAEL being involved in simultaneous attacks (although attacks from the ISRAEL site have stopped, possibly after a visit to their computers by the authorities).

There are people who try to do the probing inconspicuously and others who must be novices and don't understand what is going on. One site called Tedata, which is in Egypt 28km along the Alexandria road in the desert, has a couple of large ranges of IP addresses organised in 20 blocks. When one block is stopped they immediately switch to the next block of addresses in the very next session; eventually all 20 will be blocked and for 6 months they will have no access to the information on this site.

Turkey needs a special mention as it is listed as the seventh biggest source of spam in the world. If you block the domain dynamic.ttnet.com.tr you will neutralise many of their attacks, as spammers like to hide in dynamically allocated IP addresses where they can't easily be traced, as opposed to the majority of the globe using static connections. Blocking dynamic.ttnet.com.tr will not lose much business, as serious users of the internet are mostly on static addresses. Have a look through the following tables for dynamic.ttnet.com.tr entries.

This section relates to some observations that would be of interest to readers who operate internet servers; please skip it if not of interest.

Denial of service attacks (DoS)
During the week of 7 July we experienced a major denial of service attack from a server in The Netherlands.
This involved sending about 43000 emails over a 16 hour period. We succeeded in getting the DoS site closed down,
as these sites by their nature reveal themselves and are open to having computers confiscated in the case of criminal
charges, or having their links to the internet disconnected by service providers while the attack is investigated, both rendering the attacker powerless.

There are protection mechanisms available when setting up a Linux server that protect the server from any damage
during the attack; the only problem is that others can't send you emails while the attack lasts.

Having researched protection from DoS attacks on the internet, we are recording what we did to help others,
knowing that these information pages on attack sites are regularly indexed by the search engines (about 100 times a day) and others will be
able to find the information.

In setting up the sendmail configuration file, three settings seem important:

Limit the number of child processes that can be started (to, say, 12). This means that a maximum
of 12 emails will be in process at one time and all others will be told to hold off.

Limit the number of mail requests received per second (say to 8). If more than this request rate is received,
other mails are told to hold off for a while and no new requests are processed.

Limit the maximum file size for incoming emails to, say, 4 MByte each, so as not to tie up the comms line receiving
a large number of unwanted emails.
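The three limits above correspond to the sendmail.cf options MaxDaemonChildren, ConnectionRateThrottle and MaxMessageSize (set in sendmail.mc as confMAX_DAEMON_CHILDREN, confCONNECTION_RATE_THROTTLE and confMAX_MESSAGE_SIZE). The following is an added example, not configuration from this site: it shows a constructed sendmail.cf fragment with the limits in place beside one without them, and a small audit function that reports which of the three limits is missing, disabled or looser than the figures suggested above. The option names are real sendmail options; the sample configuration text and the audit function are constructed for illustration.

```python
import re

# Constructed sendmail.cf fragment carrying the three limits recommended in the
# text. The sendmail.mc equivalents would be:
#   define(`confMAX_DAEMON_CHILDREN', `12')
#   define(`confCONNECTION_RATE_THROTTLE', `8')
#   define(`confMAX_MESSAGE_SIZE', `4000000')
HARDENED_CF = """\
# at most 12 child processes handling incoming connections at once
O MaxDaemonChildren=12
# at most 8 new incoming connections per second
O ConnectionRateThrottle=8
# refuse messages larger than about 4 MByte
O MaxMessageSize=4000000
O QueueDirectory=/var/spool/mqueue
"""

# Constructed "before" fragment: no concurrency or rate limit, size limit disabled.
WEAK_CF = """\
O QueueDirectory=/var/spool/mqueue
O MaxMessageSize=0
"""

# Recommended ceilings from the text. For all three options, an absent setting or
# a value of 0 means "unlimited" in sendmail.
LIMITS = {
    "MaxDaemonChildren": 12,
    "ConnectionRateThrottle": 8,
    "MaxMessageSize": 4_000_000,
}

# Matches sendmail.cf option lines of the form "O Name=value".
_OPT = re.compile(r"^O\s+(\w+)\s*=\s*(\S+)\s*$", re.M)


def parse_options(cf_text):
    """Return {option: value} for every 'O Name=value' line in a sendmail.cf."""
    return {m.group(1): m.group(2) for m in _OPT.finditer(cf_text)}


def audit_sendmail_cf(cf_text, limits=LIMITS):
    """Return (option, finding) pairs for limits that are missing, disabled (0),
    unparseable, or looser than the recommended ceiling. Empty list = all good."""
    opts = parse_options(cf_text)
    findings = []
    for name, ceiling in limits.items():
        raw = opts.get(name)
        if raw is None:
            findings.append((name, "not set (sendmail default is unlimited)"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, f"unparseable value {raw!r}"))
            continue
        if value == 0:
            findings.append((name, "set to 0, which disables the limit"))
        elif value > ceiling:
            findings.append((name, f"{value} exceeds recommended {ceiling}"))
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(f"{label}: {audit_sendmail_cf(cf) or 'all three limits in place'}")
```

To audit a live file, read /etc/mail/sendmail.cf into a string and pass it to audit_sendmail_cf; the function only looks at "O Name=value" lines, so comments and other directives are ignored.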

During the actual attack, the server was idle with respect to emails but continued to perform all its other functions.

Having identified the attacker from the entries in the /var/log/maillog file, we did a WHOIS lookup to find the details of the registrant of the
IP address, and a TRACEROUTE back to the attacking server to find its electronic location.

We then emailed our complaint to the abuse address, the technical support address and the owner address listed in the WHOIS record,
together with an extract of the /var/log/maillog record and a copy of the above traceroute to show the location of the server.
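Identifying the flood source in /var/log/maillog means counting accepted messages per relay address and looking for one source delivering far more than the rest in a short time. The script below is an added example, not this site's own tooling: it parses constructed sendmail "from=" log lines (the addresses are documentation ranges, not real attackers), counts messages per relay IP, flags any IP that delivered five or more messages inside one minute, and pulls out the raw lines for that IP to attach to an abuse report as described above. The log format is sendmail's; the year is not recorded in maillog and is assumed here, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/maillog extract in sendmail's format. One relay sends a
# burst of messages; one legitimate relay sends a single message.
SAMPLE_MAILLOG = """\
Jul  7 09:00:01 www sendmail[2101]: r6790010002101: from=<a@example.net>, size=812, class=0, nrcpts=1, msgid=<1@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [198.51.100.23]
Jul  7 09:00:02 www sendmail[2102]: r6790020002102: from=<b@example.net>, size=790, class=0, nrcpts=1, msgid=<2@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [198.51.100.23]
Jul  7 09:00:02 www sendmail[2103]: r6790020002103: from=<c@example.net>, size=801, class=0, nrcpts=1, msgid=<3@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [198.51.100.23]
Jul  7 09:00:03 www sendmail[2104]: r6790030002104: from=<d@example.net>, size=795, class=0, nrcpts=1, msgid=<4@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [198.51.100.23]
Jul  7 09:00:05 www sendmail[2105]: r6790050002105: from=<e@example.net>, size=820, class=0, nrcpts=1, msgid=<5@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [198.51.100.23]
Jul  7 09:12:40 www sendmail[2150]: r679Ce0002150: from=<friend@example.org>, size=2048, class=0, nrcpts=1, msgid=<9@example.org>, proto=ESMTP, daemon=MTA, relay=smtp.example.org [203.0.113.8]
Jul  7 09:30:11 www sendmail[2177]: r679UB0002177: from=<f@example.net>, size=777, class=0, nrcpts=1, msgid=<6@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [198.51.100.23]
"""

# A sendmail "from=" line: syslog timestamp, host, queue id, then the relay that
# handed the message over, logged as "relay=hostname [ip]".
_FROM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<[^>]*>.*?relay=(?P<host>\S+) \[(?P<ip>[\d.]+)\]"
)


def parse_from_lines(text, year=2014):
    """Yield (timestamp, queue_id, relay_host, relay_ip) per accepted message.
    maillog carries no year, so the caller supplies one (assumed here)."""
    for line in text.splitlines():
        m = _FROM_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["qid"], m["host"], m["ip"]


def messages_per_source(text, year=2014):
    """Count accepted messages per relay IP, with host name and first/last time seen."""
    per_ip = defaultdict(lambda: {"host": None, "count": 0, "first": None, "last": None})
    for ts, _qid, host, ip in parse_from_lines(text, year):
        rec = per_ip[ip]
        rec["host"] = host
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(per_ip)


def flood_sources(text, year=2014, min_messages=5, window_seconds=60):
    """Return relay IPs that delivered at least `min_messages` messages within any
    `window_seconds` window: the mail-flood pattern described in the text."""
    times = defaultdict(list)
    for ts, _qid, _host, ip in parse_from_lines(text, year):
        times[ip].append(ts)
    flagged = []
    for ip, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - min_messages + 1):
            if (stamps[i + min_messages - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return flagged


def complaint_extract(text, ip):
    """Return the raw log lines naming `ip`, ready to attach to an abuse report."""
    return [line for line in text.splitlines() if f"[{ip}]" in line]


if __name__ == "__main__":
    for ip in flood_sources(SAMPLE_MAILLOG):
        rec = messages_per_source(SAMPLE_MAILLOG)[ip]
        print(f"{ip} ({rec['host']}): {rec['count']} messages, {rec['first']} to {rec['last']}")
        print("\n".join(complaint_extract(SAMPLE_MAILLOG, ip)))
```

On a real server, replace SAMPLE_MAILLOG with the contents of /var/log/maillog and raise min_messages to suit normal traffic; the WHOIS and traceroute steps then take the flagged IP as input.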

About thirty minutes after these emails were sent the DoS attack ended. An hour later we received an email from the administrator
to say that the internet feed to this server had been temporarily suspended while the attacks reported were being investigated.

Historic
For the past 16 years we have been serving information from
a stand-alone webserver running a Linux operating system. The server
supplies about 3.2 million documents per annum in the form of HTML, PDF and
JPG files. In the whole 16 years, on only about five occasions has it stopped
and needed a reboot. Two of these stoppages have happened in the past eight months
and as a result we have been investigating the cause. Usually nobody looks
at logfiles, as everything runs smoothly until there is a problem.
Because of the actions listed below, it is six months since our server last stopped.

We found that the reason the machine had stopped was simultaneous
attacks on our server from about 300 machines distributed all over the globe
at virtually the same instant. This overloaded a stack, causing the machine to stop.
What was interesting about the attack was the distribution of the attacking
servers and their time coordination. We have since limited the number of child processes
that can be started at any time and made the machine bullet-proof.

These attacks are trying to identify access points to the website and passwords.
They involve trying to Telnet or FTP into the site so that one can alter files on the site.
Access to these services is restricted to those IP addresses that are listed in the hosts.allow file,
and then to those that can provide a correct login name and password. All accesses and attempts to access the machine via
this method are recorded in log files. Analysis of these files shows attempts from the following sites and the number of attempts.

From the 15th December we are only showing the number of unique sites attacking per 24 hours, because the frequency of attacks has virtually fizzled out.

When a site attacks us via a Telnet or FTP operation it is listed in the blocking files for at least one year, preventing users of that site
from having access to this website. In order to get access to the website via Telnet and FTP operations, you have to be listed in the hosts.allow file and also NOT listed
in the blocking file. Only after that will you be asked to log in and then provide a password. In the past year not a single one of the attacking sites has
made it to the stage where it is asked for a login.

If any other webmaster wants a list of the attacking sites in our blocking list, please feel free to ask.

We are interested in cases where machines from different countries all try to do the same illegal function within 5 minutes of each other.
Normal operation would have no entries in this list, as all these reports are exceptions to normal operation.
Codes: tnt=telnet, ftp=ftp, pop=pop. The two-digit country code comes before the description.
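The coordination rule above, together with the per-24-hour unique-site count mentioned earlier, can be computed from the access-attempt log with a short script. The following is an added example, not this site's own reporting code; the line layout of the constructed attempt records ("timestamp service country ip") is an assumption, since the page's tables are not shown, and the service codes follow the page (tnt=telnet, ftp=ftp, pop=pop). The coordinated-attack check is generalised slightly: attempts against the same service are chained into a run while each one falls within the window of the previous one, and a run counts as coordinated when at least two countries take part.

```python
from collections import defaultdict
from datetime import datetime

# Constructed attempt records: "YYYY-MM-DD HH:MM:SS service country ip".
# Addresses are documentation ranges; countries and times are invented.
SAMPLE_ATTEMPTS = """\
2014-01-05 03:12:44 tnt IR 203.0.113.9
2014-01-05 03:14:10 tnt IL 198.51.100.77
2014-01-05 03:16:02 tnt CN 192.0.2.45
2014-01-05 03:40:00 ftp EG 192.0.2.201
2014-01-05 11:05:30 ftp EG 192.0.2.202
2014-01-05 11:06:15 ftp TR 203.0.113.150
2014-01-06 02:00:00 pop US 198.51.100.12
2014-01-06 02:03:00 pop US 198.51.100.13
"""


def parse_attempts(text):
    """Return (timestamp, service, country, ip) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, service, country, ip = line.split()
        rows.append((datetime.fromisoformat(f"{date} {clock}"), service, country, ip))
    rows.sort()
    return rows


def coordinated_groups(text, window_seconds=300):
    """Find runs of attempts on the same service in which each attempt follows the
    previous one within `window_seconds` and at least two countries are involved.
    Returns a list of (service, [rows]) in order of first appearance."""
    groups = []
    by_service = defaultdict(list)
    for row in parse_attempts(text):
        by_service[row[1]].append(row)

    def is_coordinated(run):
        return len({r[2] for r in run}) >= 2

    for service, rows in by_service.items():
        run = [rows[0]]
        for row in rows[1:]:
            if (row[0] - run[-1][0]).total_seconds() <= window_seconds:
                run.append(row)
            else:
                if is_coordinated(run):
                    groups.append((service, run))
                run = [row]
        if is_coordinated(run):
            groups.append((service, run))
    return groups


def unique_sites_per_day(text):
    """Count distinct attacking IPs per calendar day, the summary the page moved to."""
    days = defaultdict(set)
    for ts, _service, _country, ip in parse_attempts(text):
        days[ts.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(days.items())}


if __name__ == "__main__":
    for service, run in coordinated_groups(SAMPLE_ATTEMPTS):
        countries = ", ".join(sorted({r[2] for r in run}))
        print(f"{service}: {len(run)} attempts from {countries} starting {run[0][0]}")
    for day, n in unique_sites_per_day(SAMPLE_ATTEMPTS).items():
        print(f"{day}: {n} unique attacking sites")
```

In the sample data the telnet attempts from IR, IL and CN fall within five minutes of each other and are reported as one coordinated run, while the two pop attempts from the same country are not; the same-country ftp attempt at 03:40 is separated from the later EG/TR pair by several hours and so does not join it.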

Attacks via relay sites
From the 10th November 2013 we have stopped listing the relay attack sites. Our server has now been running without a single stoppage for
298 days, and these types of attacks have become ineffective since we have identified almost all the main relay
sites used for attacks. At the peak we were dealing with 40000 attacks in a single day; now we
get barely 400, of which we know 90% of the sites involved. We do still, however, block the 3000 relay sites that have been involved in attacks on our site.

Details of the attack sites prior to 10 November 2013 are still listed in the archive, and blocking these sites will most probably remove
all problems.